IN-LINE CONTENT BASED SECURITY FOR DATA AT REST IN A NETWORK STORAGE SYSTEM
First Claim
1. A method comprising:
receiving at a network storage server a plurality of write requests from at least one storage client via a network, the plurality of write requests including data to be written;
in the network storage server, classifying and indexing the data for possible encryption, prior to committing the data to a nonvolatile mass storage facility, based on content of the data or an attribute of the data;
encrypting at least some of the data based on results of said classifying and indexing; and
committing the data to the persistent mass storage facility, such that at least some of the data is committed to the mass storage facility in encrypted form.
Abstract
A network storage server receives multiple write requests from a set of clients via a network and internally buffers multiple data blocks written by the write requests. At a consistency point, the storage server commits the data blocks to a nonvolatile mass storage facility. The consistency point process includes using a storage operating system in the network storage server to compress the data blocks, encrypt selected data blocks, and store the compressed and (possibly) encrypted data blocks in the nonvolatile mass storage facility. Data blocks can also be fingerprinted in parallel with compression and/or encryption, to facilitate subsequent deduplication. Data blocks can be indexed and classified according to content or attributes of the data. Encryption can be applied at different levels of logical container granularity, where a separate, unique cryptographic key is used for each encrypted logical container.
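The write path the abstract describes, as an added example in Go that is not part of the patent or of any product implementing it: buffered write requests are classified by content or by a path attribute, fingerprinted over the plaintext (for later deduplication) while being compressed, encrypted only when the classifier selects them, and committed, with one unique key per logical container. Everything here is an assumption chosen for illustration: the type and function names (WriteRequest, StoredBlock, Server, ConsistencyPoint, Read), the two classifier rules (a "CONFIDENTIAL" content marker and a "/hr/" path prefix), zlib for compression, SHA-256 for fingerprints, AES-256-GCM for encryption, and an in-memory map standing in for the nonvolatile store.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"io"
	"strings"
)

// WriteRequest is one buffered client write: Container is its logical container (a volume here), Path the attribute the classifier sees.
type WriteRequest struct {
	Container, Path string
	Data            []byte
}

// StoredBlock is the form a block takes once committed to the (in-memory) store.
type StoredBlock struct {
	Fingerprint [32]byte // SHA-256 of the plaintext, kept for later deduplication
	Encrypted   bool
	Nonce       []byte
	Payload     []byte // zlib-compressed; additionally AES-GCM sealed when Encrypted
}

// Server keeps one unique 256-bit key per logical container and the committed blocks.
type Server struct {
	Keys   map[string][]byte
	Blocks map[string]*StoredBlock // keyed "container:path"
}

// containerKey returns the container's key, generating it on first use.
func (s *Server) containerKey(c string) []byte {
	if s.Keys[c] == nil {
		s.Keys[c] = make([]byte, 32)
		rand.Read(s.Keys[c]) // crypto/rand fills the whole slice
	}
	return s.Keys[c]
}

// Classify selects blocks for encryption by content or attribute; both rules are constructed for this example.
func Classify(w WriteRequest) bool {
	return bytes.Contains(w.Data, []byte("CONFIDENTIAL")) || strings.HasPrefix(w.Path, "/hr/")
}

func compress(p []byte) []byte {
	var buf bytes.Buffer
	zw := zlib.NewWriter(&buf)
	zw.Write(p)
	zw.Close()
	return buf.Bytes()
}

func decompress(p []byte) ([]byte, error) {
	zr, err := zlib.NewReader(bytes.NewReader(p))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// aead builds AES-256-GCM; containerKey always supplies 32 bytes, so this cannot fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// ConsistencyPoint fingerprints each buffered block alongside compressing it, encrypts only classifier-selected blocks, then commits.
func (s *Server) ConsistencyPoint(buffered []WriteRequest) {
	for _, w := range buffered {
		fpCh := make(chan [32]byte, 1)
		go func(d []byte) { fpCh <- sha256.Sum256(d) }(w.Data) // runs alongside compress
		sb := &StoredBlock{Payload: compress(w.Data)}
		sb.Fingerprint = <-fpCh
		if Classify(w) {
			g := aead(s.containerKey(w.Container))
			sb.Nonce = make([]byte, g.NonceSize())
			rand.Read(sb.Nonce) // fresh random nonce per sealed block
			sb.Encrypted, sb.Payload = true, g.Seal(nil, sb.Nonce, sb.Payload, nil)
		}
		s.Blocks[w.Container+":"+w.Path] = sb
	}
}

// Read reverses the pipeline: authenticate and decrypt with the container key if encrypted, then decompress.
func (s *Server) Read(container string, sb *StoredBlock) ([]byte, error) {
	payload := sb.Payload
	if sb.Encrypted {
		var err error
		if payload, err = aead(s.Keys[container]).Open(nil, sb.Nonce, payload, nil); err != nil {
			return nil, err // tampered ciphertext or wrong container key
		}
	}
	return decompress(payload)
}
```

Construct a Server with empty Keys and Blocks maps, hand the buffered writes to ConsistencyPoint, then Read a committed block together with its container name. Because the fingerprint is taken over the plaintext before compression and encryption, two identical blocks in different containers still match for deduplication even though their ciphertexts (and keys) differ. The authenticated mode also means a flipped byte in a sealed payload or a read with the wrong container's key fails in Open instead of returning garbage.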
158 Citations
28 Claims
1. A method comprising:
receiving at a network storage server a plurality of write requests from at least one storage client via a network, the plurality of write requests including data to be written;
in the network storage server, classifying and indexing the data for possible encryption, prior to committing the data to a nonvolatile mass storage facility, based on content of the data or an attribute of the data;
encrypting at least some of the data based on results of said classifying and indexing; and
committing the data to the persistent mass storage facility, such that at least some of the data is committed to the mass storage facility in encrypted form.
Dependent claims: 2, 3, 4, 5, 6

7. A network storage server comprising:
a network interface through which to receive write requests from a plurality of clients via a network;
a storage interface through which to access a persistent storage subsystem for storing data responsive to the write requests; and
a storage operating system to control data storage and management operations of the network storage server, the storage operating system including a storage manager to control servicing of read and write requests, data classification logic to classify and index data from the write requests for possible encryption, based on content of said data, before said data is committed to the persistent storage subsystem; and encryption logic to encrypt at least some data from the write requests, based on output of the classification unit.
Dependent claims: 8, 9, 10, 11

12. A network storage system comprising:
a processor;
a communications interface coupled to the processor; and
a memory storing instructions which, when executed by the processor, cause the network storage system to perform a set of operations including processing a plurality of write requests from at least one remote processing system via a network, the plurality of write requests including data to be written; in the network storage server, classifying and indexing the data for possible encryption, prior to committing the data to a persistent storage subsystem, based on content of the data; encrypting at least some of the data based on results of said classifying and indexing; and committing the data to the persistent storage subsystem, such that at least some of the data is committed to the persistent storage subsystem in encrypted form.
Dependent claims: 13, 14, 15, 16, 17

18. A method comprising:
receiving at a network storage server a plurality of write requests from at least one storage client via a network, the plurality of write requests including data to be written;
in the network storage server, classifying and indexing the data, prior to committing the data to a nonvolatile mass storage facility, based on content of the data or an attribute of the data; and
modifying a security attribute of the data based on results of said classifying and indexing.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26, 27, 28